When I started working on LID — the first proposal for a decentralized web identity system — about eight years ago, I did not just have a set of techie protocols in mind, but a technical architecture with social ramifications:
- people would grab a URL (say
http://upon2020.com/), and set up their personal web presence at that URL, under their own control, using the software they chose;
- that personal web presence could be queried by others (people and software) for information the owner would selectively make available; at that URL (e.g.
http://upon2o2o.com/?lid-xpath=/VCARD/N/GIVENwould return my first name to those people who I decided could have it)
- when visiting a third-party site, I would leave a pointer to my web presence as a form of leaving a business case for “I have been here”. With a bit of crypto around it, that could easily be authenticated and used as single-sign on in a web login flow. The exact same protocol could also be used for API authentication.
Note the logical sequence: because I, as an individual, want to have control over my web presence, I do things in a particular way to accomplish my goals such as selective information sharing and single-sign-on. Because many individuals want to have the same control over their own web presence, a decentralized network of selective, identity-aware, secure, and privacy-protecting information sharing would emerge.
Unfortunately what people mostly picked up from LID and then OpenID was the single-sign-on aspect, ignoring the decentralized “everybody owns their own web presence” aspect (which, of course, is the far more interesting one.) Perhaps it was too radical at the time. In a way, I pitched the Personal Computer to mainframe people who could not conceive of the use for a “personal” computer, but took some inspiration from the single-sign-on aspect, as if mainframe people ignored the invention of a personal computer but took inspiration from the design of its keyboard.
The current way of thinking about internet identity is all about “big site with lots of users” (e.g. Google, Yahoo, Facebook). Their logical sequence of thought by its proponents was, and is: Because I (e.g. Google) want to enable my users to be able to log into other websites without requiring additional accounts, we design a protocol that does that, in a way that maximizes benefits for us as identity provider and our business partner relying parties, while not making it too hard for the user.
Which is why OpenID is so very different today from its roots and much more corporate in nature, why user-centric identity is dead, and while almost all of us who helped start the movement dropped out over the years.
But it seems we’re having a bit of a reunion these days, on the subject of Personal Clouds. Perhaps the idea of cloud computing had to mature further before we could talk about user control over it. Perhaps Facebook, the most non-user-centric identity system ever, had to have a market capitalization of more than $100 billion first, making all its money off monetizing our information. But the signs are in the air, and because the world (and we) have progressed in the meantime, there’s a much better chance of success. I’ll write about it more from now on.
I’m excited again.